Client Impersonation

Impersonation is the ability of a thread to execute using different security information than the process that owns the thread. Typically, a thread in a server application impersonates a client. This allows the server thread to act on behalf of that client to access objects on the server or validate access to the client's own objects.

The Microsoft Windows API provides the following functions to begin an impersonation:

The
ImpersonateSelf function enables a thread to generate a copy of its own access token. This is useful when an application needs to change the security context of a single thread. For example, sometimes only one thread of a process needs to enable a privilege.

For most of these impersonations, the impersonating thread can revert to its own security context by calling the
RevertToSelf function. The exception is the RPC impersonation, in which the RPC server application calls
RpcRevertToSelf or
RpcRevertToSelfEx to revert to its own security context.